[StepSecurity] Apply security best practices

Signed-off-by: StepSecurity Bot <bot@stepsecurity.io>

Author: stepsecurity-app[bot]

.github/workflows/build-push.yaml

@@ -40,7 +40,7 @@ jobs:
           go-version-file: ${{ matrix.image }}/go.mod
 
       - uses: sigstore/cosign-installer@4959ce089c160fddf62f7b42464195ba1a56d382 # v3.0.2
-      - uses: ko-build/setup-ko@3aebd0597dc1e9d1a26bcfdb7cbeb19c131d3037 # v0.7
+      - uses: step-security/setup-ko@3b4d97844e4277c74a9d77ac00052d8ce96580d3 # v0.9.0
 
       - env:
           KO_DOCKER_REPO: ghcr.io/chainguard-dev/${{matrix.image}}

.github/workflows/build.yaml

@@ -32,7 +32,7 @@ jobs:
         with:
           go-version-file: ${{ matrix.image }}/go.mod
 
-      - uses: ko-build/setup-ko@3aebd0597dc1e9d1a26bcfdb7cbeb19c131d3037 # v0.7
+      - uses: step-security/setup-ko@3b4d97844e4277c74a9d77ac00052d8ce96580d3 # v0.9.0
       - uses: chainguard-dev/actions/setup-registry@3e8a2a226fad9e1ecbf2d359b8a7697554a4ac6d # main
 
       - working-directory: ${{ matrix.image }}

image-mapper/Dockerfile

@@ -1,4 +1,4 @@
-FROM cgr.dev/chainguard/go:latest AS builder
+FROM cgr.dev/chainguard/go:latest@sha256:8df9dd7beb988f8f912df54c036ea44e4b11455da5d33e2a4eb2d19de75820c8 AS builder
 
 WORKDIR /app
 
@@ -11,7 +11,7 @@ COPY cmd cmd
 
 RUN CGO_ENABLED=0 go build -o image-mapper .
 
-FROM cgr.dev/chainguard/static:latest
+FROM cgr.dev/chainguard/static:latest@sha256:9cef3c6a78264cb7e25923bf1bf7f39476dccbcc993af9f4ffeb191b77a7951e
 
 COPY --from=builder /app/image-mapper /usr/local/bin/image-mapper